CCPA presents regulatory concerns for companies in Seoul but could lead to changes in South Korean privacy law

South Korean companies targeting the US market are likely to feel the regulatory tremors created by the new privacy law in California, especially those in the gaming and IT industries, sectors where the US market is perhaps the most lucrative.

Uncertainties and legal risks stemming from the California Consumer Privacy Act, or CCPA, have already created waves of concern for South Korean companies over issues of compliance. But for now, many seem to be taking a wait-and-see approach, seeking to assess the potential impact and scope of applicability of the law. More broadly, the CCPA could ultimately lead to further amendments to South Korea’s Personal Information Protection Act, or PIPA.

Game publishers at risk

For South Korea, privacy experts think that it will be gaming and Internet of Things, or IoT, companies that have the most potential to feel the pressure of the CCPA.

"Game publishers were probably the first ones to react to the GDPR [the European Union's General Data Protection Regulation]," explained Kim Do-yeup, a privacy lawyer at South Korean law firm BKL. "Also, the unique aspect about the CCPA is that the scope of personal information is broad to include ‘inferences’ and even household data that can be collected through IoT devices."

For example, NCSOFT, one of the largest game publishers in South Korea, which has offices in the US including ones in Aliso Viejo and San Mateo, California, in 2019 recorded 92.60 billion won ($77.67 million) in revenue from the US and Europe. In total, the company’s global revenue came to 1.7 trillion won last year according to its earnings release.

“NCSOFT and NSCOFT West treat matters of player privacy with utmost concern,” a spokesperson for NCSOFT told MLex. “As we have done with the GDPR, we will work with our legal and data-privacy teams to ensure compliance with the CCPA and similar legislation in a transparent manner.”

South Korean electronics giants are also global leaders in IoT devices. In addition, many South Korean startups are developing IoT devices and services, with the US market, one of the largest electronics markets in the world, ultimately in mind.

The million-dollar question for South Korean companies is the applicability of the CCPA, according to Kim.

“The first thing South Korean companies must figure out is whether the law actually applies to their businesses or not, and it seems like a growing number of South Korean firms are becoming curious about this,” Kim said.

The CCPA applies to any company with at least $25 million in revenue or that trades significantly in personal data of California's 40 million residents. The enforcement by the California attorney general of the privacy rights bestowed by the CCPA won't begin until July 1.

But ambiguities make it difficult to determine precisely whether a company is at risk.

“There are some uncertainties at the moment regarding the applicability [of the law],” said Kim. “For instance, does the $25 million-a-year revenue threshold refer to the global revenue or the revenue derived only from the US market or more specifically from the Californian market?”

Also, services offered by South Korean Internet companies are expected to be used widely by the Korean-American population in California, although such services are not necessarily intended for the US market. Such companies have yet to figure out whether they need to take steps to meet the obligations created by the CCPA.

Another risk factor is the possibility of class-action suits, which do not exist in South Korea but could potentially lead to millions of dollars worth of settlements, a significant threat for smaller South Korean firms.

Because of such ambiguity, the first few cases under the CCPA will suggest how aggressive the law will be enforced and South Korean companies are waiting for these “exemplary cases,” as they did with the GDPR.

Differences between the CCPA and PIPA

South Korean companies will also have to consider carefully differences between the CCPA and PIPA, which could ultimately lead to changes in the South Korean law in the future.

For starters, what qualify as exceptions to deletion requests is more comprehensive in the CCPA, such as for  freedom of the press, whereas under PIPA, requests for deletion can be denied only when “other Acts and subordinate statutes stipulates the particular personal information be collected.”

More notably, the CCPA puts certain levels of constraint on the sale of personal data, and some experts think that this could catch the attention of South Korean civic groups — advocates for stronger privacy laws — and similar provisions could be brought into the South Korean regulatory system in the future.

Companies that sell data to third parties are required to provide an accessible and easy-to-use link on their website to opt out of data sales, otherwise they could immediately be held liable.

“The CCPA distinguishes between collection and sale of personal data, and restrictions on the latter will be the key issue to watch for,” Kim explained. “South Korean companies must check whether they sell personal data of Californians to other companies, and given the wide concept of sale under the CCPA, as indicated by the text ‘other variable consideration,’ it is likely that many activities fall under this category.”

Such constraints, however, do not exist in PIPA.

“In South Korean [privacy] law, there is no specific limit on the sale of personal information, nor is there anything about consent being required for the specific purpose of sale,” Kim said. “Companies are only required to get consent for the provision of data to third parties, which is a similar concept to the EU’s controller-to-controller data processing.”

Lack of such specific constraints have caused some controversy in the past.

In 2015, it was discovered that large South Korean retailer Homeplus sold personal information of customers who signed up for a lottery prize to local insurance companies, raking in billions of won in profits from the sale. Last year, it was ruled by the country’s Supreme Court that Homeplus violated PIPA and thus must pay fines. Essentially, Homeplus was not found guilty of selling the personal data or not giving people the opportunity to opt out of the sale, but rather for obtaining consent through a method that was not considered a “social norm” — namely, the font used for the text notifying the purpose of the data collection was too small.

Before the CCPA, the GDPR had been the bible for South Korean privacy officials.

Concepts that exist in the GDPR, such as pseudonymization and compatibility (the latter allowing businesses to use data without additional consent if it does not deviate drastically from the initial purpose of collection) did not exist, but were recently introduced in South Korea. The requirement for qualifying companies to employ designated privacy officers was also introduced following similar requirement in the GDPR.